The sorry state of cyber-security in the United States has made the
nation vulnerable to attacks on its entire infrastructure, from the
Internet to the national power grid, according to a Washington-based
think tank. Now it’s up to solution providers to help accomplish what
the federal government has not been able to: lock down our
cyber-borders.
A report issued this week by the U.S. Center for Cybersecurity noted
that the nation is poised for an attack on its infrastructure largely
because of poor oversight and lack of policy on and regulation of
network security on a national scale.
But through a collaborative effort with both public and private
companies—and their solution provider partners—the federal government
has the ability to stem the bleeding of sensitive information to
hackers, identity thieves, unfriendly countries and corporate spies,
the commission says.
“America’s failure to protect cyberspace is one of the most urgent
national security problems facing the new administration that will take
office in January 2009,” the report states. “In the new global
competition, where economic strength and technological leadership are
as important to national power as military force, failing to secure
cyberspaces puts us at a disadvantage.”
In addition to recommending that the Obama administration create a
Center for Cybersecurity Operations and appoint a national cyber
adviser, the report recommends a comprehensive cyber-security policy
for all government agencies and a new focus on collaboration with the
private sector to further security policies.
“We [as a country] need to get away from air of plausible
deniability,” says Tom Kellerman, vice president of security awareness
at Core Security Technologies and a member of the commission. “The real
leadership in corporations is not aware of vast operational and
technical risks associated with the use of technology and the overuse
to manage technology risk. We are too technologically dependent.”
Solution providers are front and center in this brave new world of
public-private cyber-security policymaking, from identifying the leaks
to making recommendations that won’t impinge on individual freedoms.
Kellerman recommends four steps solution providers can take with their
customers to keep their systems safe from attack and help lock down the
nation’s infrastructure:
- Allow customer contracts to be rewritten to include security. “Move
away from SLAs,” he says. “The best thing solution providers can do is
to make security the highest priority in customer contracts.”
- Demonstrate that you’re penetration-testing your systems and those
systems with which you are interacting, and ask your customers to do so
as well. “I hate to say it, but it is the same reason why you get a
blood test when you get married,” Kellerman says.
- Improve authentication systems. “Passwords have to go away,” he
says. “It is such primitive technology, and we need to get past that.”
- Demonstrate you have a real incident-response capability with a
forensics component. “It’s not enough to say you have it;
solution providers have to prove it,” he says. “Good security is as
much about determining the source of the breach and where that
information is going as it is finding the breach.”
Solution providers have an opportunity to help make policy on
national cyber-security based on the dealings with their customers.
“This isn’t a technology issue anymore,” Kellerman says. “The
fundamental question is, how do you combine policy and procedure to
solve this crisis?
“It’s not as much about mandating draconian standards as it is
proving that you’re meeting the standards,” Kellerman adds. Because of
that, “I believe it’s coming that both public and private companies
will have to meet a minimum standard for security.”